Thanks a lot for this article. I am going to visit my app and give it more enhancement concerning security. I have one question though. I have an app for listings where users post listings and an email is sent to them with a link to click for activation. How can I validate this, since it's coming through a GET variable?

There are 2 kinds of input in your application: listings and confirmation keys. If I didn't misunderstand, your question is about the confirmation keys.

They're probably a hexadecimal hash, so you can use the regular expression

/^[0-9a-f]+$/i

If the hash is not hexadecimal, you can still limit its size, and probably restrict the characters allowed (alphanumerical? or custom regexp?).

EDIT: Being GET or POST data changes nothing on validation. An application even has to validate other inputs, like uploaded files' content.

I think it has no effect...
the correct way is to use findAllByAttributes

That was a typo, I fixed it. Thanks.

Quote (in "Authentication"):

I think a good solution is to generate a random salt in db [...]

Yes, we need to salt passwords, but that's not enough. What the library PHPass does is applying random salting, choosing the best encrypting algorithm available, iterating it a high number of times... What you propose is a good first step, but it is less secure than this library, whose author is a security expert, also the author of the famous "john the ripper". And even your simple code isn't simpler than my suggested code that uses PHPass.

I'll update the article to explain in a few words what the library does.

When allowing users to edit records, I think one thing to state in the article is how to use bizrules and findByPk() to prevent users from changing rows that they do not own. Also, I have found it much more secure to only ever do an initial find on PK when trying to find a record that a user is editing (when going to save or something), since finding on other attributes could lead to ambiguity, opening a potential (small but possible) door for users to affect the bizrules in such a manner so as to change records that they do not own or a record not associated with that particular page/section/whatever.

Dunno if this is security or common sense though to be honest.

Hi Sammaye

What you describe is the domain of Authorization, i.e. ensuring users only have access to the resources they have permissions on.

The wiki page I wrote completely skips this subject for now. It could be a section of the page, but I believe it should be on a separate page. It is a lengthy subject, and the way Yii implements it is rather complex. Maybe this wiki page could contain links to the official guide and to other wiki pages on this. I'll look for resources.
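As an added illustration of the two points raised in this thread (validating the activation key from the GET variable, and loading an editable record by primary key and then checking ownership), here is example code that is neither from the article nor from the Yii project. It assumes a Yii 1.x `Listing` ActiveRecord with columns `id`, `user_id`, `activation_key`, `is_active`, `title` and `description`, and that activation keys are 40 lowercase hex characters.

```php
<?php
// Added example, not from the article or the Yii framework.
// Assumed model: Listing (id, user_id, activation_key, is_active, title, description).
class ListingController extends CController
{
    // Activation link: /listing/activate?key=...  The key arrives via GET, but
    // the validation is the same as for POST: whitelist the format first.
    public function actionActivate($key)
    {
        // Assumed key format: 40 hex chars (e.g. sha1 output). Anchors plus a
        // fixed length reject anything else before it reaches the database.
        if (!preg_match('/^[0-9a-f]{40}$/i', $key)) {
            throw new CHttpException(400, 'Invalid activation key.');
        }
        $listing = Listing::model()->findByAttributes(array(
            'activation_key' => strtolower($key),
            'is_active'      => 0,
        ));
        if ($listing === null) {
            throw new CHttpException(404, 'Unknown or already used key.');
        }
        $listing->is_active      = 1;
        $listing->activation_key = null; // key is single use
        $listing->save(false);
        $this->redirect(array('view', 'id' => $listing->id));
    }

    // Edit form: load the row by primary key only, then check ownership before
    // touching it. A lookup by other attributes (title, slug) could match a
    // row the current user does not own.
    public function actionUpdate($id)
    {
        $listing = Listing::model()->findByPk((int) $id);
        if ($listing === null) {
            throw new CHttpException(404, 'Listing not found.');
        }
        if ($listing->user_id != Yii::app()->user->id) {
            throw new CHttpException(403, 'You may only edit your own listings.');
        }
        if (isset($_POST['Listing'])) {
            // Mass assignment is limited by the model's "safe" rules; user_id
            // and activation_key must not be declared safe for this scenario.
            $listing->attributes = $_POST['Listing'];
            if ($listing->save()) {
                $this->redirect(array('view', 'id' => $listing->id));
            }
        }
        $this->render('update', array('model' => $listing));
    }
}
```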

at 2011/11/22 09:18pm, yangmls wrote the comment:

Yes, I read the source of PHPass. I found that it uses the PHP crypt function to encrypt and puts the encrypted password as the salt.

Yeah, you are right, but I just want to express the importance of salt.